Abstract. It is well known that the verification of resource-constrained multi-agent
systems is undecidable in general. In many such settings, resources are
private to agents. In this paper, we investigate the model checking problem for
a resource logic based on Alternating-Time Temporal Logic (ATL) with shared
resources. Resources can be consumed and produced up to any amount. We show
that the model checking problem is undecidable if two or more of such unbounded
resources are available. Our main technical result is that in the case of a single
shared resource, the problem becomes decidable. Although intuitive, the proof
of decidability is non-trivial. We reduce model checking to a problem over
alternating Büchi pushdown systems. An intermediate result connects to general
automata-based verification: we show that model checking Computation Tree
Logic (CTL) over (compact) alternating Büchi pushdown systems is decidable.


1 Introduction and Related Work 

Research on resource-constrained multi-agent systems has become a popular topic in
recent years, e.g. II7I8I2I13I1I3I . In particular, the verification of strategic agents
acting under resource-constraints has been investigated by researchers; many of these
approaches extend the alternating-time temporal logic (ATL) [4] with actions that, in the
general case, consume or produce resources. If no bound on the possible amount of
resources is given the model checking problems are easily undecidable HI . Exceptions
are possible if restrictions are imposed on the language a or on the semantics (ma¬ 
in many settings, resources are private to agents, each agent has its own set of resources. 
In lfj~3l resources are shared and a resource money is used to claim resources. The
authors present a decidable model checking result which is possible as the amount of
resources is bounded. In this paper we are interested in the model checking problem 
where resources are shared and unbounded; resources can be consumed and produced 
without an upper bound on the total number of resources. The setting is rather natural. 
Resources are shared in e.g., the travel budget of a computer science department. All 
departmental members compete for the travel budget. Parts of the travel money of a 
successful grant application will be credited to the department’s budget; there is no a 
priori bound on the total budget. 

In this paper, we show that the model checking problem for the resource agent logic
RAL j8) considered here is undecidable in general when there are more than two of such
unbounded shared resources. This result follows as a corollary from 18151 where model
checking resource bounded systems with private, unbounded resources has been proved
undecidable. Secondly, we show that model checking RAL is decidable in case of a
single shared, unbounded resource. Although this seems intuitive, as a single unbounded
resource can intuitively be encoded by a single stack/counter, its proof is (technically)
non-trivial and is based on a reduction to alternating Büchi pushdown systems tnm.
We first introduce compact alternating Büchi pushdown systems (CABPDSs) to encode
the resource bounded models of our logic such that the runs of the automaton can be
related to execution trees of a given set of agents in the model. We show that model
checking CTL over these systems is decidable using results of lfl5l . Finally, we reduce
model checking RAL to model checking CTL over CABPDSs. These results extend
work on model checking CTL over pushdown systems where atomic propositions can
be given by regular languages G2). The latter results, in turn, are based on a where
reachability of alternating pushdown systems and model checking problems over
pushdown systems with standard labelling functions are investigated. Model checking CTL
over pushdown systems and its computational complexity have also been considered
in E). Our model checking problem is also related to reachability in Büchi games tm.
Many complexity results about ABPDSs and their variants are known and established
in the above mentioned pieces of work. In our future research we plan to determine
the exact computational complexity of the model checking problem for resource agent
logic (RAL) over 1-unbounded resource bounded models.

The paper is organised as follows. In Section 2 we discuss different resource types
and introduce our version of resource agent logic with shared resources. In Section 3
we recall alternating Büchi pushdown systems (ABPDSs) and variants thereof. We
propose compact ABPDSs for encoding our models. We show that model checking CTL
over them is decidable. In Section 4 we give our main decidability result for a single
unbounded resource. Finally, in Section 0 we consider the general case and show that
model checking is undecidable if at least two unbounded resource types are available,
and conclude in Section^

2 Resource Agent Logic 

In this section we define the resource agent logic RAL and resource-bounded
models. The framework is essentially based on 0. We begin with a discussion on
different resource types which can be classified along different dimensions:

Private resources are assigned to individual agents. 

Shared resources can be accessed by all agents; they are global. 

Consumable/producible resources can be consumed and produced. They often
disappear after usage, like gasoline and energy, and may thus also be labelled fluent.

Re-usable resources do not in general disappear after usage. They may also be
produced.

Bounded/unbounded resource types characterise whether arbitrarily many resources 
can be produced or if there is a bound on the maximal amount. 

We note that the property of boundedness has a different flavour in comparison to the
other properties. It is better understood as a property of the agents or of the specific
modelling rather than of the resource itself. For example, the agent can only carry up to
two heavy boxes, or there is legislation which prohibits having more than three cars
in a household. In this paper we are interested in shared, unbounded, consumable
resource types. That is, there is a common pool of resources for which all agents compete.
Agents' actions may consume resources or produce them, always affecting the common
pool of resources. Moreover, there can be arbitrarily many resources of a resource type.

Clearly, in real settings there will usually be a combination of different resource 
types. Adding bounded resources will in general not affect the decidability of model 
checking. Such resources can be encoded in the states, blowing up the model. One has 
to be more careful with unbounded resources. Having at least two unbounded resource 
types is often a first indication for an undecidable model checking problem if no other 
restrictions are imposed on the setting. Following the discussion above, we define a
(shared) endowment (function) $\eta : \mathit{Res} \to \mathbb{N}_0$ to specify the available shared resources
of the resource types $\mathit{Res}$ in the system; i.e., $\eta(r)$ is the number of shared resources
of type $r$. With $\mathsf{En}$ we denote the set of all possible endowments. A special minimal
endowment function is denoted by $0$. It expresses that there are no resources at all.

Definition 1 (Shared resource structure, unbounded). A (shared) resource structure
is a tuple $\mathfrak{R} = (\mathit{Res}, \beta)$ where $\mathit{Res}$ is a finite set of shared consumable resources.
Function $\beta : \mathit{Res} \to \mathbb{N} \cup \{\infty\}$ is called resource bound. It specifies the maximal
number of resources of a specific type in the model. We say that $\mathfrak{R}$ is $k$-unbounded iff
the number of unbounded resource types is at most $k$.

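Syntax. Resource agent logic (RAL) is defined over a set of agents $\mathit{Agt}$ and a set
of propositional symbols $\Pi$. RAL-formulae$^3$ are essentially generated according to the
grammar of ATL [4] as follows:
$\varphi ::= p \mid \neg\varphi \mid \varphi \wedge \varphi \mid \langle\langle A\rangle\rangle^{\downarrow} X\varphi \mid \langle\langle A\rangle\rangle^{\downarrow} \varphi U \psi \mid \langle\langle A\rangle\rangle^{\downarrow} G\varphi$
where $p \in \Pi$ is a proposition and $A \subseteq \mathit{Agt}$ is a set of agents.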

A formula $\langle\langle A\rangle\rangle^{\downarrow}\varphi$ is called flat if $\varphi$ contains no cooperation modalities. The
operators X, U, and G denote the standard temporal operators expressing that some property
holds in the next point in time, until some other property holds, and now and always in
the future, respectively. The eventually operator is defined as macro: $F\varphi = \top U \varphi$ (now
or sometime in the future). The cooperation modality $\langle\langle A\rangle\rangle^{\downarrow}$ assumes that all agents in
$\mathit{Agt}$ act under resource constraints. The reading of $\langle\langle A\rangle\rangle^{\downarrow}\varphi$ is that agents $A$ have a
strategy compatible with the currently available resources to enforce $\varphi$. This means that the
strategy can be executed given the agents' resources. Thus, it is necessary to keep track
of resource production and consumption during the execution of a strategy.

Semantics. We define the models of RAL as in ED. We also introduce a special 
class of these models in which agents have an idle action in their repertoire that neither 
consumes nor produces resources. Note that a model with idle actions is a special case 
of the general model. 

Definition 2 (RBM, iRBM, unbounded). A resource-bounded model (RBM) is
given by $\mathfrak{M} = (\mathit{Agt}, Q, \Pi, \pi, \mathit{Act}, d, o, \mathfrak{R}, t)$ where $\mathfrak{R} = (\mathit{Res}, \beta)$ is a shared resource
structure, $\mathit{Agt} = \{1, \ldots, k\}$ is a set of agents; $\pi : \Pi \to 2^Q$ is a valuation of
propositions; $\mathit{Act}$ is a finite set of actions; and the function $d : \mathit{Agt} \times Q \to 2^{\mathit{Act}} \setminus \{\emptyset\}$
indicates the actions available to agent $a \in \mathit{Agt}$ at state $q \in Q$. We write $d_a(q)$
instead of $d(a, q)$, and use $d(q)$ to denote the set $d_1(q) \times \ldots \times d_k(q)$ of action profiles in
state $q$. Similarly, $d_A(q)$ denotes the action tuples available to $A$ at $q$. $o$ is a transition
function which maps each state $q \in Q$ and action profile $\alpha = (\alpha_1, \ldots, \alpha_k) \in d(q)$
(specifying a move for each agent) to another state $q' = o(q, \alpha)$. Finally, the function
$t : \mathit{Act} \times \mathit{Res} \to \mathbb{Z}$ models the resources consumed and produced by actions. We define
$prod(\alpha, r) := \max\{0, t(\alpha, r)\}$ (resp. $cons(\alpha, r) := \min\{0, t(\alpha, r)\}$) as the amount of
resource $r$ produced (resp. consumed) by action $\alpha$. For $\alpha = (\alpha_1, \ldots, \alpha_k)$, we use $\alpha_A$
to denote the sub-tuple consisting of the actions of agents $A \subseteq \mathit{Agt}$.

An RBM with idle actions, iRBM for short, is an RBM $\mathfrak{M}$ such that for all
agents $a$, all states $q$, there is an action $\alpha \in d_a(q)$ such that for all resource types $r$ in
$\mathfrak{M}$ we have that $t(\alpha, r) = 0$. We refer to this action (or to one of them if there is more
than one) as the idle action of $a$ and denote it by idle.

3 Note that we slightly change the notation in comparison with j8) where $\langle\langle A\rangle\rangle^{\downarrow}$ has the meaning
of $\langle\langle A\rangle\rangle^{\downarrow}_{\mathit{Agt}}$. Moreover, we only use operators that refer to the currently available resources in
the system.

A path $\lambda \in Q^{\omega}$ is an infinite sequence of states such that there is a transition
between two adjacent states. A resource-extended path $\lambda \in (Q \times \mathsf{En})^{\omega}$ is an infinite
sequence over $Q \times \mathsf{En}$ such that the restriction to states (the first component), denoted by
$\lambda|_Q$, is a path in the underlying model. The projection of $\lambda$ to the second component of
each element in the sequence is denoted by $\lambda|_{\mathsf{En}}$. We define $\lambda[i]$ to be the $(i+1)$-th element
of $\lambda$, and $\lambda[i, \infty]$ to be the suffix $\lambda[i]\lambda[i+1]\ldots$. A strategy$^4$ for a coalition $A \subseteq \mathit{Agt}$
is a function $s_A : (Q \times \mathsf{En})^+ \to \mathit{Act}^A$ such that $s_A((q_0, \eta_0) \ldots (q_n, \eta_n)) \in d_A(q_n)$
for $(q_0, \eta_0) \ldots (q_n, \eta_n) \in (Q \times \mathsf{En})^+$. Such a strategy gives rise to a set of
(resource-extended) paths that can emerge if agents follow their strategies. A $(q, \eta, s_A)$-path is a
resource-extended path $\lambda$ such that for all $i = 0, 1, \ldots$ with $\lambda[i] := (q_i, \eta_i)$ there is an
action profile $\alpha \in d(\lambda|_Q[i])$ such that:

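1. $q_0 = q$ and $\eta_0(r) = \min\{\beta(r), \eta(r)\}$ for all $r \in \mathit{Res}$ (describes initial configuration);

2. $s_A(\lambda[0, i]) = \alpha_A$ ($A$ follow their strategy);

3. $\lambda|_Q[i+1] = o(\lambda|_Q[i], \alpha)$ (transition according to $\alpha$);

4. for all $\alpha' \in \mathit{Act}^{\mathit{Agt} \setminus A}$ and for all $r \in \mathit{Res}$: $\eta_i(r) \geq \sum_{a \in \mathit{Agt} \setminus A} cons(\alpha'_a, r) + \sum_{a \in A} cons(\alpha_a, r)$ (enough resources to perform the actions are available); and

5. $\eta_{i+1}(r) = \eta_i(r) + \sum_{a \in \mathit{Agt}} prod(\alpha_a, r) - \sum_{a \in \mathit{Agt}} cons(\alpha_a, r)$ for all $r \in \mathit{Res}$.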

Condition 4 models that the opponents have priority when claiming resources.

The $(q, \eta, s_A)$-outcome of a strategy $s_A$ in $q$, $out(q, \eta, s_A)$, is defined as the set of
all $(q, \eta, s_A)$-paths starting in $q$. We also refer to this set as an execution tree of $A$.
Truth is defined over an RBM $\mathfrak{M}$, a state $q \in Q$, and an endowment $\eta$. The semantics
is given by the satisfaction relation $\models$ defined below.

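$\mathfrak{M}, q, \eta \models p$ iff $p \in \Pi$ and $q \in \pi(p)$.

$\mathfrak{M}, q, \eta \models \varphi_1 \wedge \varphi_2$ iff $\mathfrak{M}, q, \eta \models \varphi_1$ and $\mathfrak{M}, q, \eta \models \varphi_2$.

$\mathfrak{M}, q, \eta \models \neg\varphi$ iff it is not the case that $\mathfrak{M}, q, \eta \models \varphi$.

$\mathfrak{M}, q, \eta \models \langle\langle A\rangle\rangle^{\downarrow} X\varphi$ iff there is a strategy $s_A$ for $A$ such that for all $\lambda \in out(q, \eta, s_A)$,
$\mathfrak{M}, \lambda|_Q[1], \lambda|_{\mathsf{En}}[1] \models \varphi$.

$\mathfrak{M}, q, \eta \models \langle\langle A\rangle\rangle^{\downarrow} \varphi U \psi$ iff there exists a strategy $s_A$ for $A$ such that for all $\lambda \in out(q, \eta, s_A)$,
there is an $i$ with $i \geq 0$ and $\mathfrak{M}, \lambda|_Q[i], \lambda|_{\mathsf{En}}[i] \models \psi$ such that for all $j$ with $0 \leq j < i$
it holds that $\mathfrak{M}, \lambda|_Q[j], \lambda|_{\mathsf{En}}[j] \models \varphi$.

$\mathfrak{M}, q, \eta \models \langle\langle A\rangle\rangle^{\downarrow} G\varphi$ iff there exists a strategy $s_A$ for $A$ such that for all $\lambda \in out(q, \eta, s_A)$
and all $i \geq 0$, $\mathfrak{M}, \lambda|_Q[i], \lambda|_{\mathsf{En}}[i] \models \varphi$.

The model checking problem is to determine whether $\mathfrak{M}, q, \eta \models \varphi$ holds.

4 We note that differently from 1811131 . our notion of strategy takes the history of states as well
as the history of endowments into account. In the setting considered here such strategies are
more powerful than strategies only taking the state-component into account.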

Example. We illustrate the framework by extending the introductory example on
the departmental travelling budget. Consider a department which consists of a dean $d$,
two professors $p_1, p_2$ and three lecturers $l_1$, $l_2$, and $l_3$. The department's travel budget
is allocated annually and can be spent to attend conferences. There are three categories
to request money: premium, advanced, and economic. All options are available to the
dean, the last two to professors, and only the last one to the lecturers. For instance, if
the cost of attending PRIMA$^5$ is, depending on the category, $2000, $1000, and $500,
respectively, then with an available budget of $4000 not all lecturers can be sure to be
able to attend PRIMA, because the dean and the professors could all decide to attend
PRIMA and to request the advanced category. In that case, only $1000 would remain,
not enough for all lecturers to attend; formally specified,
$\langle\langle d, p_1, p_2\rangle\rangle^{\downarrow} F(d \wedge p_1 \wedge p_2 \wedge \neg\langle\langle\{l_1, l_2, l_3\}\rangle\rangle^{\downarrow} F(l_1 \wedge l_2 \wedge l_3))$
is true where a proposition $x$ expresses that "person" $x$ is
attending PRIMA. Equivalently, $\neg\langle\langle\{l_1, l_2, l_3\}\rangle\rangle^{\downarrow} F(l_1 \wedge l_2 \wedge l_3)$ is true; this highlights
that the opponents have priority in claiming resources. However, by collaborating with
the professors, they have a strategy which allows all lecturers to attend, independent of
the actions of the dean: i.e., $\langle\langle\{p_1, p_2, l_1, l_2, l_3\}\rangle\rangle^{\downarrow} F(l_1 \wedge l_2 \wedge l_3)$.

3 Model Checking CTL over Büchi Pushdown Systems

We first review existing results on alternating Büchi pushdown systems (ABPDSs).
Then, we use these results to give an automata-theoretic approach to model check
CTL-formulae over compact ABPDSs. The latter will be used to encode RBMs in SectionQ]

An alphabet $\Gamma$ is a non-empty, finite set of symbols. $\Gamma^*$ denotes the set consisting of all
finite words over $\Gamma$ including the empty word $\varepsilon$. Typical symbols from $\Gamma$ are denoted
by $a, b, \ldots$ and words by $w, v, u, \ldots$. We read words from left to right. As before, we
assume that $\Pi$ denotes a finite, non-empty set of propositions.

3.1 Alternating Büchi Pushdown Systems

We use words to represent the stack content. We say that word $w = a_1 \ldots a_n$ is on
the stack if $a_1$ is the lowest symbol, followed by $a_2$ and so forth. The symbol on
top is $a_n$. An alternating pushdown system (APDS) is a tuple $\mathcal{P} = (P, \Gamma, \Delta)$ where
$P$ is a non-empty, finite set of control states, $\Gamma$ a non-empty, finite (stack) alphabet,
and $\Delta \subseteq (P \times \Gamma) \times 2^{P \times \Gamma^*}$ a transition relation 151161 . We call $\mathcal{P}$ a pushdown
system (PDS) if $(s, a)\Delta X$ implies $|X| = 1$ where $X \in 2^{P \times \Gamma^*}$. An alternating Büchi
pushdown system (ABPDS) $\mathcal{B} = (P, \Gamma, \Delta, F)$ is defined as an APDS but a set of
accepting states $F \subseteq P$ is added. In the following we focus on ABPDSs, but most of
the definitions do also apply to APDSs and PDSs with obvious changes. A transition
$(p, a)\Delta\{(p_1, w_1), \ldots, (p_n, w_n)\}$ represents that if the system is in state $p$ and the
top-stack symbol is $a$ then the ABPDS $\mathcal{B}$ is copied $n$ times where the $i$th copy changes
its local state to $p_i$, pops $a$ from the stack and pushes $w_i$ on the stack, $1 \leq i \leq n$.
For a transition rule $(p, a)\Delta\{(p_1, w_1), \ldots, (p_n, w_n)\}$ and a stack content $w \in \Gamma^*$ we
say that $(p, wa)$ is an immediate predecessor of $\{(p_1, ww_1), \ldots, (p_n, ww_n)\}$. We write
$(p, wa) \Rightarrow_{\mathcal{B}} \{(p_1, ww_1), \ldots, (p_n, ww_n)\}$. We also say that $\{(p_1, ww_1), \ldots, (p_n, ww_n)\}$
is an immediate successor of $(p, wa)$. We often write $(p, a)\Delta(p', w)$ for $(p, a)\Delta\{(p', w)\}$.
Finally, we would like to note that a stack bottom symbol $\#$ can be defined, the only
purpose of which is to denote that the stack is empty. Apart from this the symbol is never
touched. The introduction of $\#$ simply requires adding $\#$ to $\Gamma$ and adding a rule which
pushes $\#$ to the stack, before any other rule is applied. In the following we assume that
$\#$ is the stack bottom symbol whenever it appears in the text.

5 PRIMA is the acronym for the conference Principles and Practice of Multi-Agent Systems. A
short version of this paper was accepted for PRIMA 2015 6D.

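A configuration of $\mathcal{B}$ is a tuple from $\mathit{Cnf}_{\mathcal{B}} = P \times \Gamma^*$. A $c$-run $\rho$ of $\mathcal{B}$, where $c$ is
a configuration of $\mathcal{B}$, is a tree in which each node is labelled by a configuration such
that the root of the tree is labelled by $c$. If a node labelled by $(p, w)$ has $n$ (direct)
child nodes labelled by $(p_1, w_1), \ldots, (p_n, w_n)$, respectively, then it is required that
$(p, w) \Rightarrow_{\mathcal{B}} \{(p_1, w_1), \ldots, (p_n, w_n)\}$. We use $\mathcal{R}_{\mathcal{B}}(c)$ to denote the set of all $c$-runs$^6$
and $\mathcal{R}_{\mathcal{B}} = \bigcup_{c \in \mathit{Cnf}_{\mathcal{B}}} \mathcal{R}_{\mathcal{B}}(c)$. We note that a run in a PDS $\mathcal{P}$ is simply a linear sequence
of configurations. A $\rho$-path, $\rho \in \mathcal{R}_{\mathcal{B}}(c)$, is a maximal length branch $\kappa = c_0c_1\ldots$ of $\rho$
starting at the root node $c$. We shall identify $\rho$ with its set of paths and write $\kappa \in \rho$ to
indicate that $\kappa$ is a $\rho$-path. Again, in the case of a PDS $\mathcal{P}$ a run and a path in it are
essentially the same. We say that $\kappa \in \rho$ is accepting if a state of $F$ occurs infinitely often
in configurations on $\kappa$. A run is accepting if each path $\kappa \in \rho$ is accepting; and a
configuration $c$ is accepting if there is an accepting run $\rho \in \mathcal{R}_{\mathcal{B}}(c)$. We note that an accepting
run of an ABPDS has only infinite branches. The language accepted by $\mathcal{B}$, $L(\mathcal{B})$, is the
set of all accepting configurations. Finally, we define $\Rightarrow^*_{\mathcal{B}} \subseteq (P \times \Gamma^*) \times 2^{P \times \Gamma^*}$ as,
roughly speaking, the reflexive transitive closure of $\Rightarrow_{\mathcal{B}}$; that is, $c \Rightarrow^*_{\mathcal{B}} \{c\}$ for all $c$; if
$c \Rightarrow_{\mathcal{B}} C$ then $c \Rightarrow^*_{\mathcal{B}} C$; and if $c \Rightarrow^*_{\mathcal{B}} \{c_1, \ldots, c_n\}$ and $c_i \Rightarrow^*_{\mathcal{B}} C_i$ for every $1 \leq i \leq n$,
then $c \Rightarrow^*_{\mathcal{B}} \bigcup_i C_i$.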

A nice property of an ABPDS is that its set of accepting configurations is regular,
in the sense that it is accepted by an appropriate automaton which is defined next. An
alternating automaton 0 is a tuple $\mathcal{A} = (S, \Sigma, \delta, I, S_f)$ where $S$ is a finite, non-empty
set of states, $\delta \subseteq S \times \Sigma \times 2^S$ is a transition relation, $\Sigma$ an input alphabet, $I \subseteq S$ a
set of initial states, and $S_f \subseteq S$ a set of final states. Similar to $\Rightarrow^*_{\mathcal{B}}$ we define the
reflexive, transitive transition relation $\to^* \subseteq (S \times \Sigma^*) \times 2^S$ as follows (where we write
$s \xrightarrow{w}{}^* S'$ for $(s, w, S') \in \to^*$): $s \xrightarrow{\varepsilon}{}^* \{s\}$; if $(s, a, S') \in \delta$ then $s \xrightarrow{a}{}^* S'$; and if
$s \xrightarrow{w}{}^* \{s_1, \ldots, s_n\}$ and $s_i \xrightarrow{v}{}^* S_i$ for $1 \leq i \leq n$ then $s \xrightarrow{wv}{}^* \bigcup_i S_i$. The automaton
accepts $(s, w) \in S \times \Sigma^*$ iff $s \xrightarrow{w}{}^* S'$ with $S' \subseteq S_f$ and $s \in I$. The language accepted
by $\mathcal{A}$ is denoted by $L(\mathcal{A})$. A language is called regular if it is accepted by an alternating
automaton. Finally, for a given ABPDS $\mathcal{B} = (P, \Gamma, \Delta, F)$ we define an alternating
$\mathcal{B}$-automaton as an alternating automaton $(S, \Sigma, \delta, I, S_f)$ such that $I \subseteq P \subseteq S$ and
$\Gamma = \Sigma$. We recall the following result from 031 :

6 Sometimes, we assume that elements in $X$ in a transition $(p, a)\Delta X$ are ordered and
correspondingly the branches in a run.

Theorem 1 dflSl). For any ABPDS B there is an effectively computable alternating 
B-automaton A such that L(A) = L(B). 

The authors of E3 do also determine the size of the automaton. As we are not
concerned with the computational complexity in this paper, we omit these results.

3.2 Model Checking CTL over PDSs 

The Logic CTL. Computation Tree Temporal Logic (CTL) fl2l can be seen as the
one agent, non-resource-constrained variant of RAL. Formulae of the logic are defined
by the grammar: $\varphi ::= p \mid \neg\varphi \mid \varphi \wedge \varphi \mid EX\varphi \mid EG\varphi \mid E(\varphi U \psi)$ where $p \in \Pi$.
$E$ denotes the existential path quantifier. $E\varphi$ expresses that there is a run on which
$\varphi$ holds. The Boolean connectives are given by their usual abbreviations. In addition
to that, we define the macros $F\varphi = \top U \varphi$, $AX\varphi = \neg EX\neg\varphi$, $AG\varphi = \neg EF\neg\varphi$, and
$A\varphi U \psi = \neg E((\neg\psi) U (\neg\varphi \wedge \neg\psi)) \wedge \neg EG\neg\psi$. Thus, $A\varphi$ is read as $\varphi$ holds on all runs.
The other temporal operators have the same meaning as for RAL. Moreover, for our
constructions it is assumed that CTL-formulae are in negation normal form, that is
negation only occurs at the propositional level. This makes it necessary to allow the
connective $\vee$ (or) and also the release operator $R$ as first-class citizens in the object
language. Therefore, we use the following macros: $A\varphi_1 R \varphi_2 = \neg E(\neg\varphi_1) U (\neg\varphi_2)$ and
$E\varphi_1 R \varphi_2 = \neg A(\neg\varphi_1) U (\neg\varphi_2)$. A subformula of a formula $\varphi$ is a formula that occurs
in $\varphi$, including $\varphi$ itself. The closure of $\varphi$, $cl(\varphi)$, is the set of all subformulae of $\varphi$.
We define the set $\Pi^+(\varphi) = \{p \in \Pi \mid p \in cl(\varphi)\}$ and $\Pi^-(\varphi) = \{p \in \Pi \mid \neg p \in cl(\varphi)\}$
containing all propositional variables that occur positively and negatively in $\varphi$,
respectively. Later, we also need a special closure $cl_R(\varphi)$ which consists of all formulae
of the form $A(\varphi_1 R \varphi_2)$ or $E(\varphi_1 R \varphi_2)$ of $cl(\varphi)$.

Model Checking over Pushdown Systems. The problem of CTL model checking
over PDSs has been considered in, e.g., USEE). We now recall from ESI how the
problem is defined. First, the PDS is extended with a labelling function $lab$ to give truth to
propositional atoms. In ESI two alternatives are considered. The first alternative assigns
states to propositions, $lab : \Pi \to 2^P$. The second alternative assigns configurations to
propositions, $lab : \Pi \to 2^{P \times \Gamma^*}$. In the following we only consider the second, more
general alternative as this is the one we shall need for model checking RAL. For this
type of labelling function we need a finite representation. We call $lab$ regular if there is
an alternating automaton $\mathcal{A}_p$ with $L(\mathcal{A}_p) = lab(p)$ for each $p \in \Pi$. We are ready to give
the semantics of CTL-formulae over a PDS $\mathcal{P} = (P, \Gamma, \Delta)$, $c \in \mathit{Cnf}_{\mathcal{P}}$, and a regular
labelling function $lab : \Pi \to 2^{P \times \Gamma^*}$. The semantics is defined by $\models$ as follows:

$\mathcal{P}, c, lab \models p$ iff $c \in lab(p)$;

$\mathcal{P}, c, lab \models \neg\varphi$ iff it is not the case that $\mathcal{P}, c, lab \models \varphi$;

$\mathcal{P}, c, lab \models \varphi_1 \wedge \varphi_2$ iff it is the case that $\mathcal{P}, c, lab \models \varphi_1$ and $\mathcal{P}, c, lab \models \varphi_2$;

$\mathcal{P}, c, lab \models EX\varphi$ iff there is a $c$-run $\rho = c_0c_1\ldots \in \mathcal{R}_{\mathcal{P}}(c)$ such that $\mathcal{P}, c_1, lab \models \varphi$;

$\mathcal{P}, c, lab \models EG\varphi$ iff there is a $c$-run $\rho = c_0c_1\ldots \in \mathcal{R}_{\mathcal{P}}(c)$ such that $\mathcal{P}, c_i, lab \models \varphi$
for all $i \geq 0$;

$\mathcal{P}, c, lab \models E\varphi_1 U \varphi_2$ iff there is a $c$-run $\rho = c_0c_1\ldots \in \mathcal{R}_{\mathcal{P}}(c)$ such that there is an
$i \in \mathbb{N}_0$ with $\mathcal{P}, c_i, lab \models \varphi_2$ and for all $0 \leq j < i$ we have that $\mathcal{P}, c_j, lab \models \varphi_1$.

The authors of fl5l give a model checking algorithm which uses ABPDSs. They
construct from $\mathcal{P}$, $lab$ and $\varphi$, an ABPDS $\mathcal{B}_{\mathcal{P},\varphi}$ such that $\mathcal{P}, (p, w), lab \models \varphi$ iff
$((p, \varphi), w) \in L(\mathcal{B}_{\mathcal{P},\varphi})$. The ABPDS is essentially the product of the PDS $\mathcal{P}$ with the closure of $\varphi$, in
particular states of $\mathcal{B}_{\mathcal{P},\varphi}$ are tuples $(p, \psi) \in P \times cl(\varphi)$. The existential and universal
path quantifiers of the formula cause the alternation of the ABPDS. We will give more
details in Section liOl where we consider model checking CTL-formulae over ABPDSs.

We finish this section by recalling the following theorem which follows from
Theorem Q]

Theorem 2 (03)). For a given PDS $\mathcal{P}$, a regular labelling function $lab$, and a
CTL-formula $\varphi$ there is an effectively computable alternating automaton $\mathcal{A}_{\mathcal{P},\varphi}$ such that
for all configurations $c = (p, w) \in \mathit{Cnf}_{\mathcal{P}}$ the following holds: $\mathcal{P}, c, lab \models \varphi$ iff
$((p, \varphi), w) \in L(\mathcal{A}_{\mathcal{P},\varphi})$.

3.3 Model Checking CTL over ABPDS 

For our later results, we need to be able to define the truth of CTL-formulae over
ABPDSs rather than PDSs. We extend the result of Theorem 2 accordingly. Let an
ABPDS $\mathcal{B}$ be given. We first discuss what it means that $\mathcal{B}, c, lab \models E\varphi$. As before, we
interpret it as: there is a run $\rho \in \mathcal{R}_{\mathcal{B}}(c)$ on which $\varphi$ holds. However, given that $\rho$ is a
tree in the case of ABPDSs (or a set of paths) we need to explain how to evaluate $\varphi$ on
trees. We require that $\varphi$ must be true on each path $\kappa \in \rho$ of the run. This can nicely
be illustrated if $\mathcal{B}$ is considered as a two player game where player one decides which
transition to take, and player two selects one of the child states. Thus, $E\varphi$ expresses
that player one has a strategy in the sense that it can enforce a run $\rho$ such that player
two cannot make $\varphi$ false on any path $\kappa \in \rho$. The precise semantics is given next where
$c \in \mathit{Cnf}_{\mathcal{B}}$, and $lab$ is a regular labelling function as before:

$\mathcal{B}, c, lab \models p$ iff $c \in lab(p)$;

$\mathcal{B}, c, lab \models \neg\varphi$ iff it is not the case that $\mathcal{B}, c, lab \models \varphi$;

$\mathcal{B}, c, lab \models \varphi_1 \wedge \varphi_2$ iff $\mathcal{B}, c, lab \models \varphi_1$ and $\mathcal{B}, c, lab \models \varphi_2$;

$\mathcal{B}, c, lab \models EX\varphi$ iff there is a $c$-run $\rho \in \mathcal{R}_{\mathcal{B}}(c)$ such that for all paths $c_0c_1\ldots \in \rho$ it
holds that $\mathcal{B}, c_1, lab \models \varphi$;

$\mathcal{B}, c, lab \models EG\varphi$ iff there is a $c$-run $\rho \in \mathcal{R}_{\mathcal{B}}(c)$ such that for all paths $c_0c_1\ldots \in \rho$ it
holds that $\mathcal{B}, c_i, lab \models \varphi$ for all $i \geq 0$;

$\mathcal{B}, c, lab \models E\varphi_1 U \varphi_2$ iff there is a $c$-run $\rho \in \mathcal{R}_{\mathcal{B}}(c)$ such that for all paths $c_0c_1\ldots \in \rho$
there is an $i \in \mathbb{N}_0$ with $\mathcal{B}, c_i, lab \models \varphi_2$ and for all $0 \leq j < i$ we have that
$\mathcal{B}, c_j, lab \models \varphi_1$.

We are ready to give a variant of Theorem 2 over ABPDSs. It follows from Lemma 1
given below in combination with Theorem [Q

Theorem 3. For a given ABPDS $\mathcal{B}$, a regular labelling function $lab$, and a CTL-formula
$\varphi$ there is an effectively computable alternating automaton $\mathcal{A}_{\mathcal{B},\varphi}$ such that for all
configurations $c = (p, w) \in \mathit{Cnf}_{\mathcal{B}}$ the following holds: $\mathcal{B}, c, lab \models \varphi$ iff
$((p, \varphi), w) \in L(\mathcal{A}_{\mathcal{B},\varphi})$.

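The proof of the theorem is closely related to the proof of Theorem 2 given in m.
Here, however, the branching in the resulting ABPDSs can have two different sources:
branching can result from branching in the input ABPDS or from the universal
CTL-path quantifier. We sketch the construction of $\mathcal{B}_\varphi$ for a given ABPDS $\mathcal{B} = (P, \Gamma, \Delta, F)$,
a regular labelling function $lab : \Pi \to 2^{P \times \Gamma^*}$, and a CTL-formula $\varphi$.

First, for each $\mathsf{p} \in \Pi$ let $\mathcal{A}_{\mathsf{p}} = (S_{\mathsf{p}}, \Gamma, \delta_{\mathsf{p}}, I_{\mathsf{p}}, F_{\mathsf{p}})$ denote the alternating P-automaton
that accepts $L(\mathcal{A}_{\mathsf{p}}) = lab(\mathsf{p})$, and $\mathcal{A}_{\neg\mathsf{p}}$ be the alternating automaton with
$L(\mathcal{A}_{\neg\mathsf{p}}) = P \times \Gamma^* \setminus lab(\mathsf{p})$. Due to technical reasons, we make the state spaces disjoint. We add $\mathsf{p}$
as subindex to every state of $S_{\mathsf{p}}$; for example, a state $p$ becomes $p_{\mathsf{p}}$. Note that it then
holds that $L(\mathcal{A}_{\mathsf{p}}) \subseteq P_{\mathsf{p}} \times \Gamma^*$ rather than $L(\mathcal{A}_{\mathsf{p}}) \subseteq P \times \Gamma^*$ where $P_{\mathsf{p}}$ is the set of
renamed states of $P$. In particular, the automaton $\mathcal{B}_\varphi$ will include states $(p, \mathsf{p})$ which
are connected to an initial state of the form $p_{\mathsf{p}}$. This initial state of $\mathcal{A}_{\mathsf{p}}$ is denoted by $p_{\mathsf{p}}$;
we proceed similarly for $\mathcal{A}_{\neg\mathsf{p}}$. The ABPDS $\mathcal{B}_\varphi = (P', \Gamma, \Delta', F')$ is defined as follows
(cf. Section lT2l for the notation used):

- $P' = (P \times cl(\varphi)) \cup \bigcup_{\mathsf{p} \in \Pi^+(\varphi)} S_{\mathsf{p}} \cup \bigcup_{\mathsf{p} \in \Pi^-(\varphi)} S_{\neg\mathsf{p}}$

- $F' = (P \times cl_R(\varphi)) \cup \bigcup_{\mathsf{p} \in \Pi^+(\varphi)} F_{\mathsf{p}} \cup \bigcup_{\mathsf{p} \in \Pi^-(\varphi)} F_{\neg\mathsf{p}}$

- $\Delta' \subseteq (P' \times \Gamma) \times 2^{P' \times \Gamma^*}$ is the smallest relation such that:

1. $((p, \mathsf{p}), a)\Delta'(p_{\mathsf{p}}, a)$ for $\mathsf{p} \in \Pi$

2. $((p, \neg\mathsf{p}), a)\Delta'(p_{\neg\mathsf{p}}, a)$ for $\mathsf{p} \in \Pi$

3. $((p, \varphi \wedge \psi), a)\Delta'\{((p, \varphi), a), ((p, \psi), a)\}$

4. $((p, \varphi \vee \psi), a)\Delta'\{((p, \xi), a)\}$ for $\xi \in \{\varphi, \psi\}$

5. $((p, EX\varphi), a)\Delta'\{((p', \varphi), w') \mid (p', w') \in X\}$ for each $(p, a)\Delta X$

6. $((p, AX\varphi), a)\Delta' \bigcup_{(p,a)\Delta X} \{((p', \varphi), w') \mid (p', w') \in X\}$

7. $((p, E\varphi U \psi), a)\Delta'((p, \psi), a)$

8. $((p, E\varphi U \psi), a)\Delta'\{((p, \varphi), a)\} \cup \{((p', E\varphi U \psi), w') \mid (p', w') \in X\}$ for each $(p, a)\Delta X$

9. $((p, A\varphi U \psi), a)\Delta'((p, \psi), a)$

10. $((p, A\varphi U \psi), a)\Delta'\{((p, \varphi), a)\} \cup \bigcup_{(p,a)\Delta X} \{((p', A\varphi U \psi), w') \mid (p', w') \in X\}$

11. $((p, E\varphi R \psi), a)\Delta'((p, \varphi), a)$

12. $((p, E\varphi R \psi), a)\Delta'\{((p, \psi), a)\} \cup \{((p', E\varphi R \psi), w') \mid (p', w') \in X\}$ for each $(p, a)\Delta X$

13. $((p, A\varphi R \psi), a)\Delta'((p, \varphi), a)$

14. $((p, A\varphi R \psi), a)\Delta'\{((p, \psi), a)\} \cup \bigcup_{(p,a)\Delta X} \{((p', A\varphi R \psi), w') \mid (p', w') \in X\}$

15. If $(s, a, S') \in (\bigcup_{\mathsf{p} \in \Pi^+(\varphi)} \delta_{\mathsf{p}} \cup \bigcup_{\mathsf{p} \in \Pi^-(\varphi)} \delta_{\neg\mathsf{p}})$ then $(s, a)\Delta'\{(s', \varepsilon) \mid s' \in S'\}$

16. If $s \in (\bigcup_{\mathsf{p} \in \Pi^+(\varphi)} F_{\mathsf{p}} \cup \bigcup_{\mathsf{p} \in \Pi^-(\varphi)} F_{\neg\mathsf{p}})$ then $(s, \#)\Delta'(s, \#)$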

Intuitively, $\mathcal{B}_\varphi$ simulates the semantics of CTL over ABPDSs and keeps track of the
formulae to be satisfied. Let us consider rule 5 and suppose that the current
configuration of $\mathcal{B}_\varphi$ is $((p, EX\psi), wa)$. Then, $\mathcal{B}_\varphi$ selects one set $X$ (this models the existential
quantifier $E$) with $(p, a)\Delta X$ and sends a copy of $\mathcal{B}_\varphi$ to each of the successor states in $X$
(this models the temporal operator $X$). Rule 15 is responsible for simulating the
alternating automaton at the propositional level and 16 ensures that the acceptance state of
the alternating automaton also yields an accepting path of $\mathcal{B}_\varphi$. The final states include
states of type $P \times cl_R(\varphi)$ to ensure that formulae are accepted which are never released.
For further details of the standard functioning we refer to US). We note that rules 5-14
had to be modified to work with ABPDSs. For a proof sketch of the next Lemma, we
refer to the more general Lemma 2.

Lemma 1. Using the notation above, we have the following: $\mathcal{B}, (p, w), lab \models \psi$ iff
$((p, \psi), w) \in L(\mathcal{B}_\varphi)$ for all $\psi \in cl(\varphi)$.

3.4 Compact ABPDS 

Our reduction of model checking RAL to an acceptance problem over ABPDSs relies
on an encoding of a 1-unbounded iRBM as an ABPDS. Roughly speaking, the stack
is used to keep track of the shared pool of resources. A technical difficulty is that an
action may consume several resources at a time, whereas an ABPDS can only read the
top stack symbol. Therefore, we introduce a more compact encoding of an ABPDS
which allows reading (and popping) more than one stack symbol at a time.

Given a natural number $r \geq 1$, an $r$-compact ABPDS (CABPDS) is a tuple
$\mathcal{C} = (P, \Gamma, \Delta, F, r)$ where all ingredients have the same meaning as in an ABPDS with the
exception that $\Delta \subseteq (P \times \Gamma^{\leq r}) \times 2^{P \times \Gamma^*}$ where $\Gamma^{\leq r} = \bigcup_{i=1}^{r} \Gamma^i$ denotes the set of
all non-empty words over $\Gamma$ of length at most $r$. This models that the selection of the
next transition can depend on up to the top $r$ stack symbols. All notions introduced so
far are also used for CABPDSs. Note that in a configuration $(p, a_1 \ldots a_n)$ a transition
$(p, b_1 \ldots b_j)\Delta\{(p_1, w_1), \ldots, (p_m, w_m)\}$ can be taken if, and only if, $n \geq j$ and
$a_{n-j+1} \ldots a_n = b_1 \ldots b_j$. In that case $(p, a_1 \ldots a_n) \Rightarrow_{\mathcal{C}} \{(p_1, a_1 \ldots a_{n-j}w_1), \ldots,
(p_m, a_1 \ldots a_{n-j}w_m)\}$. Obviously, a 1-compact ABPDS is simply an ABPDS.

A CABPDS is no more expressive than a "standard" ABPDS. Essentially, the top
$r$ stack symbols can be encoded in the states of an ABPDS. We make this intuition
precise. Let $\mathcal{C}$ be the $r$-compact ABPDS given above. We define the ABPDS
$\mathcal{B}(\mathcal{C}) = (P', \Gamma, \Delta', F)$ consisting of the following elements:

- $P' = P \cup (P \times \Gamma^{\leq r} \times \Gamma^{\leq r-1})$ where states in $P$ are called real states, and all other
states storage states. A storage state has the form $(p, w, v)$ and encodes that word
$w$ should be popped from the stack where its prefix $v$ remains to be popped.

- $\Delta' \subseteq (P' \times \Gamma) \times 2^{P' \times \Gamma^*}$ is the smallest relation satisfying the following properties:
For all $p \in P$, $a \in \Gamma$, $w, v \in \Gamma^+$ and $X \subseteq P \times \Gamma^*$:

1. If $(p, a)\Delta X$ then $(p, a)\Delta' X$;

2. If $(p, wa)\Delta X$ then $(p, a)\Delta'((p, wa, w), \varepsilon)$;

3. $((p, vaw, va), a)\Delta'((p, vaw, v), \varepsilon)$ provided that $(p, vaw)\Delta X$;

4. $((p, aw, a), a)\Delta' X$ provided that $(p, aw)\Delta X$.

We briefly explain these conditions. When a transition of $\mathcal{C}$ pops only a single symbol
from the stack, it is also a transition in $\mathcal{B}(\mathcal{C})$ (rule 1). If a transition of $\mathcal{C}$ pops more
than one symbol the transition is split into several in $\mathcal{B}(\mathcal{C})$. The first symbol and the
transition to a storage state is described by Condition 2: the top symbol $a$ is popped
from the stack and the next state is $(p, wa, w)$. It expresses that $wa$ should be popped
and that $w$ remains to be popped ($a$ has been popped by this very rule); note that $\varepsilon$ in
this transition means no symbol is pushed on the stack. Condition 3 describes how to
pop a single symbol $a$ from a storage state where $va$ is the word which remains to be
popped in order to complete the simulation of the transition $(p, vaw) \Delta X$. Finally, the
last rule is applied once all but the last symbol $a$ of the transition $(p, aw) \Delta X$ that is being
simulated have been read, so that $a$ can be popped from the stack. This completes the encoding and
we obtain the following result:

Proposition 1. For any r-compact ABPDS $\mathcal{C} = (P, \Gamma, \Delta, F, r)$ we have that $c \in L(\mathcal{C})$
iff $c \in L(\mathcal{B}(\mathcal{C}))$, for all configurations $c \in P \times \Gamma^*$.

Proof. In the following, we define a function $f$ which translates a run $\rho \in \mathcal{R}_{\mathcal{C}}$ into
one of $\mathcal{R}_{\mathcal{B}(\mathcal{C})}$. Let $\rho = (p, w)(\rho_1, \ldots, \rho_n)$ (see footnote 7) and $(p_i, w_i)$ be the root of $\rho_i$. This means
$(p, w) \Rightarrow_{\mathcal{C}} \{(p_i, w_i) \mid 1 \le i \le n\}$. Then, $f$ is defined by induction on the structure of
$\rho$ as follows:

- if $(p, w) \Rightarrow_{\mathcal{C}} \{(p_i, w_i) \mid 1 \le i \le n\}$ is generated by $(p, a) \Delta \{(p_i, w_i') \mid 1 \le i \le n\}$
for some $a \in \Gamma$, then $f(\rho) = (p, w)(f(\rho_1), \ldots, f(\rho_n))$; and

- if $(p, w) \Rightarrow_{\mathcal{C}} \{(p_i, w_i) \mid 1 \le i \le n\}$ is generated by $(p, a_1 \ldots a_m) \Delta \{(p_i, w_i') \mid 1 \le i \le n\}$
for some $m > 1$ and $a_1, \ldots, a_m \in \Gamma$ (i.e., $w = w' a_1 \ldots a_m$), then
$f(\rho) = (p, w)\big(((p, a_1 \ldots a_m, a_1 \ldots a_{m-1}), w' a_1 \ldots a_{m-1})(\ldots(((p, a_1 \ldots a_m, a_1), w' a_1)(f(\rho_1), \ldots, f(\rho_n)))\ldots)\big)$.

Furthermore, for any path $\kappa \in f(\rho)$, we can pinpoint, by abuse of notation, the corresponding
path $f^{-1}(\kappa)$ in $\rho$ as

- $f^{-1}((p, w)(p_i, w_i) \ldots) = (p, w) f^{-1}((p_i, w_i) \ldots)$; and

- $f^{-1}((p, w)((p, a_1 \ldots a_m, a_1 \ldots a_{m-1}), w' a_1 \ldots a_{m-1}) \ldots ((p, a_1 \ldots a_m, a_1), w' a_1)(p_i, w_i) \ldots) = (p, w) f^{-1}((p_i, w_i) \ldots)$.

Obviously, any state occurring infinitely often in $f^{-1}(\kappa)$ also appears infinitely often in $\kappa$.

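($\Rightarrow$): Assume that $c \in L(\mathcal{C})$, then there exists an accepting run $\rho \in \mathcal{R}_{\mathcal{C}}(c)$. Then
$f(\rho) \in \mathcal{R}_{\mathcal{B}(\mathcal{C})}(c)$. For each $\kappa \in f(\rho)$, $f^{-1}(\kappa)$ is accepting, i.e., some state in $F$ occurs
infinitely often in $f^{-1}(\kappa)$; hence, it also occurs infinitely often in $\kappa$, showing that $f(\rho)$ is
accepting, i.e., $c \in L(\mathcal{B}(\mathcal{C}))$.

($\Leftarrow$): The proof is done analogously to the above case where the function $f^{-1}$ is used
to translate an accepting run $\rho \in \mathcal{R}_{\mathcal{B}(\mathcal{C})}(c)$ into that of $\mathcal{R}_{\mathcal{C}}(c)$. □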
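The following added example (not code from the paper) implements rules 1-4 of the construction of B(C) in Python and checks, on a constructed 3-compact system, that C and B(C) offer the same successor sets at real configurations. The function names, the string representation of stacks and the sample rules are assumptions made for the illustration.

```python
# Added illustration of the B(C) construction (rules 1-4); not code from the paper.
# Stacks and words are strings whose LAST character is the top of the stack.
# A rule is (state, word_to_pop, successors); successors is a frozenset of
# (next_state, word_to_push). Storage states are tuples (p, w, v).


def to_standard(delta_c):
    """Translate r-compact rules into rules that pop exactly one symbol."""
    rules = set()
    for p, word, succ in delta_c:
        succ = frozenset(succ)
        if len(word) == 1:
            rules.add((p, word, succ))                      # rule 1
            continue
        # rule 2: pop the top symbol; word[:-1] is still to be popped
        rules.add((p, word[-1], frozenset({((p, word, word[:-1]), "")})))
        # rule 3: keep popping while more than one symbol remains
        for k in range(len(word) - 1, 1, -1):
            src, dst = (p, word, word[:k]), (p, word, word[:k - 1])
            rules.add((src, word[k - 1], frozenset({(dst, "")})))
        # rule 4: pop the last remaining symbol, then take the original successors
        rules.add(((p, word, word[:1]), word[0], succ))
    return rules


def step(rules, state, stack):
    """All successor sets of configuration (state, stack) under `rules`."""
    result = []
    for p, word, succ in rules:
        if p == state and stack.endswith(word):
            rest = stack[:len(stack) - len(word)]
            result.append(frozenset((q, rest + push) for q, push in succ))
    return result


def macro_step(rules, state, stack):
    """Successor sets of B(C) after passing through all storage states."""
    done, pending = set(), step(rules, state, stack)
    while pending:
        succ = pending.pop()
        if any(isinstance(q, tuple) for q, _ in succ):
            (q, st), = succ          # rules 2 and 3 only produce singletons
            pending.extend(step(rules, q, st))
        else:
            done.add(succ)
    return done


# Constructed 3-compact system over states {p, q} and stack alphabet {a, b}.
DELTA_C = [
    ("p", "aab", frozenset({("q", "b"), ("p", "")})),
    ("p", "b", frozenset({("q", "bb")})),
    ("q", "ab", frozenset({("p", "a")})),
]


def agrees(state, stack):
    """True if C and B(C) offer the same successor sets at a real configuration."""
    compact = set(step(DELTA_C, state, stack))
    return compact == macro_step(to_standard(DELTA_C), state, stack)


if __name__ == "__main__":
    for cfg in [("p", "baab"), ("p", "bab"), ("q", "ab"), ("q", "b")]:
        print(cfg, agrees(*cfg), sorted(map(sorted, step(DELTA_C, *cfg))))
```

At (p, bab) the translated system enters a storage state for the word aab and gets stuck after two pops; that branch has no successor, so it yields no successor set, matching C where the transition is not enabled.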

The next corollary is easy to see: the language $L(\mathcal{C}) = L(\mathcal{B}(\mathcal{C}))$ is regular as $L(\mathcal{B}(\mathcal{C}))$
and $P \times \Gamma^*$ are regular and regular languages are closed under intersection.

Corollary 1. $L(\mathcal{C})$ is regular.

7 We denote with $c(\rho_1, \ldots, \rho_n)$ a tree with root $c$ which has $n$ direct sub-trees $\rho_1, \ldots, \rho_n$ starting
at the child nodes of $c$.



3.5 CTL Model checking over compact ABPDSs 

In this section, we consider model checking CTL over CABPDSs. Given an r-compact
ABPDS $\mathcal{C} = (P, \Gamma, \Delta, F, r)$, a regular labelling function $lab : \Pi \to 2^{P \times \Gamma^*}$ and a CTL-formula
$\varphi$ over $\Pi$, assume that for each $p \in \Pi^+(\varphi)$, $lab(p)$ is accepted by an alternating
automaton $\mathcal{A}_p = (S_p, \Gamma, \delta_p, I_p, F_p)$; and for each $p \in \Pi^-(\varphi)$, the complement
$P \times \Gamma^* \setminus lab(p)$ is accepted by an alternating automaton $\mathcal{A}_{\neg p} = (S_{\neg p}, \Gamma, \delta_{\neg p}, I_{\neg p}, F_{\neg p})$.
We assume the same notational conventions wrt. disjointness and renaming as discussed
in Section 3.3. We define the r-compact ABPDS $\mathcal{C}_\varphi = (P', \Gamma, \Delta', F', r)$ as follows:

- $P' = (P \times cl(\varphi)) \cup \bigcup_{p \in \Pi^+(\varphi)} S_p \cup \bigcup_{p \in \Pi^-(\varphi)} S_{\neg p}$;

- $F' = (P \times cl_R(\varphi)) \cup \bigcup_{p \in \Pi^+(\varphi)} F_p \cup \bigcup_{p \in \Pi^-(\varphi)} F_{\neg p}$; and

- $\Delta'$ is the smallest relation satisfying rules 1-14, 16 given in Section 3.3 where
symbol $a$ is replaced by word $w$ everywhere, and rule 15 of Section 3.3 is taken
without any changes.

The intuition of the construction of $\mathcal{C}_\varphi$ is the same as for $\mathcal{B}_\varphi$. We obtain the result:

Lemma 2. Using the notation above, we have the following: $\mathcal{C}, (p, w), lab \models \psi$ iff
$((p, \psi), w) \in L(\mathcal{C}_\varphi)$ for all $\psi \in cl(\varphi)$.

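Proof (Sketch). ($\Rightarrow$): Assume that $\mathcal{C}, (p, w), lab \models \psi$. We prove that $((p, \psi), w)$ has
an accepting run in $\mathcal{C}_\varphi$ by induction on the structure of $\psi$.

Case $\psi = p$: Since $\mathcal{C}, (p, w), lab \models \psi$, $(p, w) \in lab(p)$. Then, in $\mathcal{A}_p$ we have a run from $p_p$
to $S'$ where $p_p \in I_p$ and $S' \subseteq F_p \subseteq F'$. Then,
$((p, p), w) \Rightarrow_{\mathcal{C}_\varphi} (p_p, w) \Rightarrow^*_{\mathcal{C}_\varphi} \{(s', \#) \mid s' \in S'\} \Rightarrow_{\mathcal{C}_\varphi} \{(s', \#) \mid s' \in S'\} \Rightarrow_{\mathcal{C}_\varphi} \cdots$
(by rules 1, 15 and 16) which is an accepting run in $\mathcal{R}_{\mathcal{C}_\varphi}$.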

Case $\psi = \psi_1 \vee \psi_2$: Since $\mathcal{C}, (p, w), lab \models \psi_1 \vee \psi_2$, $\mathcal{C}, (p, w), lab \models \psi_1$ or $\mathcal{C}, (p, w), lab \models \psi_2$.
Without loss of generality, let us assume that $\mathcal{C}, (p, w), lab \models \psi_1$. By induction hypothesis,
we have $((p, \psi_1), w) \in L(\mathcal{C}_\varphi)$, i.e., there is an accepting $((p, \psi_1), w)$-run $\rho$.
Then, we construct a $((p, \psi_1 \vee \psi_2), w)$-run as $((p, \psi_1 \vee \psi_2), w)(\rho)$ which is obviously
accepting. Hence, $((p, \psi_1 \vee \psi_2), w) \in L(\mathcal{C}_\varphi)$.

Case $\psi = \psi_1 \wedge \psi_2$: Since $\mathcal{C}, (p, w), lab \models \psi_1 \wedge \psi_2$, $\mathcal{C}, (p, w), lab \models \psi_1$ and $\mathcal{C}, (p, w), lab \models \psi_2$.
By induction hypothesis, we have $((p, \psi_1), w) \in L(\mathcal{C}_\varphi)$ and $((p, \psi_2), w) \in L(\mathcal{C}_\varphi)$,
i.e., there exist a $((p, \psi_1), w)$-run $\rho_1$ and a $((p, \psi_2), w)$-run $\rho_2$ which are both
accepting. Then, we construct a $((p, \psi_1 \wedge \psi_2), w)$-run as $((p, \psi_1 \wedge \psi_2), w)(\rho_1, \rho_2)$ which
is obviously accepting. Hence, $((p, \psi_1 \wedge \psi_2), w) \in L(\mathcal{C}_\varphi)$.

Case $\psi = \mathbf{EX}\psi_1$: Since $\mathcal{C}, (p, w), lab \models \psi$, there exists a $(p, w)$-run $\rho = (p, w)(\rho_1, \ldots, \rho_n)$
where, for all roots $(p_i, w_i)$ of $\rho_i$, $\mathcal{C}, (p_i, w_i), lab \models \psi_1$. By induction hypothesis, for all
$1 \le i \le n$, we have $((p_i, \psi_1), w_i) \in L(\mathcal{C}_\varphi)$, i.e., there exists an accepting $((p_i, \psi_1), w_i)$-run $\rho_i'$.
Then, we construct a $((p, \mathbf{EX}\psi_1), w)$-run as $((p, \mathbf{EX}\psi_1), w)(\rho_1', \ldots, \rho_n')$
which is obviously accepting. Hence, $((p, \mathbf{EX}\psi_1), w) \in L(\mathcal{C}_\varphi)$.

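Case $\psi = \mathbf{E}\psi_1 \mathbf{U} \psi_2$: Since $\mathcal{C}, (p, w), lab \models \psi$, there exists a $(p, w)$-run $\rho$ such that, for
all paths $\kappa = (p^\kappa_0, w^\kappa_0)(p^\kappa_1, w^\kappa_1) \ldots \in \rho \in \mathcal{R}_{\mathcal{C}}((p, w))$, $\exists i_\kappa \ge 0$ such that
$\mathcal{C}, (p^\kappa_{i_\kappa}, w^\kappa_{i_\kappa}), lab \models \psi_2$ and $\forall\, 0 \le j < i_\kappa$ we have that $\mathcal{C}, (p^\kappa_j, w^\kappa_j), lab \models \psi_1$.
By induction hypothesis, we have $((p^\kappa_{i_\kappa}, \psi_2), w^\kappa_{i_\kappa}) \in L(\mathcal{C}_\varphi)$ and
$((p^\kappa_j, \psi_1), w^\kappa_j) \in L(\mathcal{C}_\varphi)$ for all $0 \le j < i_\kappa$.
Now, we show that $((p^\kappa_i, \psi), w^\kappa_i) \in L(\mathcal{C}_\varphi)$ for all $\kappa \in \rho$ and $0 \le i \le i_\kappa$ by induction
on $i_\kappa - i$ (the claim follows for $i = 0$, then we have $((p, \psi), w) \in L(\mathcal{C}_\varphi)$):

Base case: Assume that $i = i_\kappa$, then $((p^\kappa_i, \psi), w^\kappa_i) \Rightarrow_{\mathcal{C}_\varphi} ((p^\kappa_i, \psi_2), w^\kappa_i)$ by rule 7.
Since $((p^\kappa_i, \psi_2), w^\kappa_i) \in L(\mathcal{C}_\varphi)$, we have that $((p^\kappa_i, \psi), w^\kappa_i) \in L(\mathcal{C}_\varphi)$.

Induction step: Assume that $((p^\kappa_i, \psi), w^\kappa_i) \in L(\mathcal{C}_\varphi)$ for all $\kappa \in \rho$ and $0 < i \le i_\kappa$.
Consider an arbitrary $\kappa \in \rho$ and $((p^\kappa_{i-1}, \psi), w^\kappa_{i-1})$. Then, there exists a transition
$(p^\kappa_{i-1}, w^\kappa_{i-1}) \Delta X'$ such that
$X = \{(p^{\kappa'}_i, w^{\kappa'}_i) \mid \kappa' \in \rho, (p^{\kappa'}_{i-1}, w^{\kappa'}_{i-1}) = (p^\kappa_{i-1}, w^\kappa_{i-1})\}$,
i.e., the transition taken at $(p^\kappa_{i-1}, w^\kappa_{i-1})$ in $\rho$. Then, by induction
hypothesis, $((p^{\kappa'}_i, \psi), w^{\kappa'}_i) \in L(\mathcal{C}_\varphi)$ for all $\kappa' \in \rho$ with
$(p^{\kappa'}_{i-1}, w^{\kappa'}_{i-1}) = (p^\kappa_{i-1}, w^\kappa_{i-1})$; i.e., $((p', \psi), w') \in L(\mathcal{C}_\varphi)$ for all $(p', w') \in X$.
Moreover, we have that (i)
$((p^\kappa_{i-1}, \psi), w^\kappa_{i-1}) \Rightarrow_{\mathcal{C}_\varphi} \{((p^\kappa_{i-1}, \psi_1), w^\kappa_{i-1})\} \cup \{((p', \psi), w') \mid (p', w') \in X\}$ and
(ii) $((p^\kappa_{i-1}, \psi_1), w^\kappa_{i-1}) \in L(\mathcal{C}_\varphi)$. Therefore, $((p^\kappa_{i-1}, \psi), w^\kappa_{i-1}) \in L(\mathcal{C}_\varphi)$.

8 Recall that $c(\rho_1, \ldots, \rho_n)$ denotes a tree which is rooted at $c$ and has $n$ direct sub-trees
$\rho_1, \ldots, \rho_n$.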


For the other cases of $\psi$, the proofs are similar.

($\Leftarrow$): Assume that $((p, \psi), w) \in L(\mathcal{C}_\varphi)$, then we prove that $\mathcal{C}, (p, w), lab \models \psi$ by
induction on the structure of $\psi$.

Case $\psi = p$: Since $((p, p), w) \in L(\mathcal{C}_\varphi)$, there exists an accepting $((p, p), w)$-run $\rho$.
Furthermore, the prefix of $\rho$ must satisfy the following:
$((p, p), w) \Rightarrow_{\mathcal{C}_\varphi} (p_p, w) \Rightarrow^*_{\mathcal{C}_\varphi} (f, \#)$ for some $f \in F_p$.
Thus, $\mathcal{A}_p$ has a run from $p_p$ to $f$, i.e., $(p, w) \in L(\mathcal{A}_p) = lab(p)$.
Hence, $\mathcal{C}, (p, w), lab \models p$.

Case $\psi = \psi_1 \vee \psi_2$: Since $((p, \psi_1 \vee \psi_2), w) \in L(\mathcal{C}_\varphi)$, there exists an accepting
$((p, \psi_1 \vee \psi_2), w)$-run $\rho$. Furthermore, $\rho$ must have the form $((p, \psi_1 \vee \psi_2), w)(\rho')$ where $\rho'$ is
rooted at either $((p, \psi_1), w)$ or $((p, \psi_2), w)$. Without loss of generality, let us assume
$((p, \psi_1), w)$ is the root of $\rho'$; then $\rho'$ is an accepting run, i.e., $((p, \psi_1), w) \in L(\mathcal{C}_\varphi)$. By
induction hypothesis, we have $\mathcal{C}, (p, w), lab \models \psi_1$; thus, $\mathcal{C}, (p, w), lab \models \psi_1 \vee \psi_2$.

Case $\psi = \psi_1 \wedge \psi_2$: Since $((p, \psi_1 \wedge \psi_2), w) \in L(\mathcal{C}_\varphi)$, there exists an accepting
$((p, \psi_1 \wedge \psi_2), w)$-run $\rho$. Furthermore, $\rho$ must have the form $((p, \psi_1 \wedge \psi_2), w)(\rho_1, \rho_2)$ where $\rho_i$
is rooted at $((p, \psi_i), w)$. Then, $\rho_1$ and $\rho_2$ are both accepting, i.e., $((p, \psi_1), w) \in L(\mathcal{C}_\varphi)$
and $((p, \psi_2), w) \in L(\mathcal{C}_\varphi)$. By induction hypothesis, we have $\mathcal{C}, (p, w), lab \models \psi_1$ and
$\mathcal{C}, (p, w), lab \models \psi_2$; thus, $\mathcal{C}, (p, w), lab \models \psi_1 \wedge \psi_2$.

Case $\psi = \mathbf{EX}\psi_1$: Since $((p, \mathbf{EX}\psi_1), w) \in L(\mathcal{C}_\varphi)$, there exists an accepting
$((p, \mathbf{EX}\psi_1), w)$-run $\rho$. Furthermore, $\rho$ must have the form $((p, \mathbf{EX}\psi_1), w)(\rho_1, \ldots, \rho_n)$ for some
$(p, a_1 \ldots a_m) \Delta \{(p_1, w_1'), \ldots, (p_n, w_n')\}$ where $w = w' a_1 \ldots a_m$ and $\rho_i$ is rooted at
$((p_i, \psi_1), w' w_i')$. Then, for all $1 \le i \le n$, $\rho_i$ is accepting, i.e., $((p_i, \psi_1), w' w_i') \in L(\mathcal{C}_\varphi)$.
By induction hypothesis, we have $\mathcal{C}, (p_i, w' w_i'), lab \models \psi_1$; thus, $\mathcal{C}, (p, w), lab \models \mathbf{EX}\psi_1$.

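Case $\psi = \mathbf{E}\psi_1 \mathbf{U} \psi_2$: Since $((p, \mathbf{E}\psi_1 \mathbf{U} \psi_2), w) \in L(\mathcal{C}_\varphi)$, there exists an accepting
$((p, \mathbf{E}\psi_1 \mathbf{U} \psi_2), w)$-run $\rho$. We convert $\rho$ into a prefix $g(\rho)$ of some run in $\mathcal{C}$ by induction
on the structure of $\rho$ as follows:

- $g(((p, \mathbf{E}\psi_1 \mathbf{U} \psi_2), w)(\rho')) = (p, w)$ where $\rho'$ is the only direct sub-tree of the root
of $\rho$ according to Rule 7 given in Section 3.3; and

- $g(((p, \mathbf{E}\psi_1 \mathbf{U} \psi_2), w)(\rho', \rho_1, \ldots, \rho_n)) = (p, w)(g(\rho_1), \ldots, g(\rho_n))$ for some
$((p, \mathbf{E}\psi_1 \mathbf{U} \psi_2), w) \Rightarrow_{\mathcal{C}_\varphi} \{((p, \psi_1), w)\} \cup \{((p', \mathbf{E}\psi_1 \mathbf{U} \psi_2), w') \mid (p', w') \in X\}$ where
$(p, w) \Rightarrow_{\mathcal{C}} X$ according to Rule 8 given in Section 3.3.

Then, every path $\kappa = (p_0, w_0) \ldots (p_m, w_m) \in g(\rho)$ (for some $m \ge 0$, $p_0 = p$, and
$w_0 = w$) corresponds to a prefix of a path in $\rho$ which has the form
$((p_0, \mathbf{E}\psi_1 \mathbf{U} \psi_2), w_0) \ldots ((p_m, \mathbf{E}\psi_1 \mathbf{U} \psi_2), w_m)((p_m, \psi_2), w_m)$ for some $m \ge 0$.
Furthermore, for all $i < m$, $((p_i, \psi_1), w_i)$ is the direct child of $((p_i, \mathbf{E}\psi_1 \mathbf{U} \psi_2), w_i)$.
Then, for all $i < m$, $((p_i, \psi_1), w_i) \in L(\mathcal{C}_\varphi)$ and $((p_m, \psi_2), w_m) \in L(\mathcal{C}_\varphi)$.
By induction hypothesis, we have $\mathcal{C}, (p_i, w_i), lab \models \psi_1$ for all $i < m$ and
$\mathcal{C}, (p_m, w_m), lab \models \psi_2$; thus $\mathcal{C}, (p, w), lab \models \mathbf{E}\psi_1 \mathbf{U} \psi_2$.

For the other cases of $\psi$, the proofs are similar. □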

The following theorem follows from Lemma 2, Proposition 1 and Theorem 1.

Theorem 4. For a given CABPDS $\mathcal{C}$, a regular labelling function $lab$, and a CTL-formula
$\varphi$ there is an effectively computable alternating automaton $\mathcal{A}_{\mathcal{C},\varphi}$ such that for
all configurations $c = (p, w) \in Cnfg$ the following holds: $\mathcal{C}, c, lab \models \varphi$ iff
$((p, \varphi), w) \in L(\mathcal{A}_{\mathcal{C},\varphi})$.

Proof. Let $\mathcal{C}$ be a CABPDS, $\varphi$ a CTL-formula, $(p, w)$ a configuration, and $lab$ a
regular labelling function. We construct the CABPDS $\mathcal{C}_\varphi$ with (*) $\mathcal{C}, (p, w) \models \varphi$ iff
$((p, \varphi), w) \in L(\mathcal{C}_\varphi)$ according to Lemma 2. We apply Proposition 1 to obtain: (*) iff
$((p, \varphi), w) \in L(\mathcal{B}(\mathcal{C}_\varphi))$ where $\mathcal{B}(\mathcal{C}_\varphi)$ is an ABPDS. Finally, by Theorem 1 we can
conclude that there is an effectively constructible alternating $\mathcal{B}(\mathcal{C}_\varphi)$-automaton $\mathcal{A}$ with
(*) iff $((p, \varphi), w) \in L(\mathcal{A})$. □

4 Decidability of RAL over 1-Unbounded Models 

Throughout this section we assume that $\mathfrak{M} = (Agt, Q, \Pi, \pi, Act, d, o, \mathfrak{B}, t)$ is a
1-unbounded RBM where $\mathfrak{B}$ is a shared resource structure consisting of a single
unbounded shared resource. Moreover, let $A$ be a set of agents and $\bar{A} = Agt \setminus A$. As there
is only one resource, we can simplify the notation. We write $\eta$ for $\eta(r)$, $cons(a)$ instead
of $cons(a, r)$ and so on. Also, for an action profile $\alpha_A$ we use $cons(\alpha_A)$ (resp.
$prod(\alpha_A)$) to refer to $\sum_{a \in A} cons(\alpha_a)$ (resp. $\sum_{a \in A} prod(\alpha_a)$). Furthermore, for a
natural number $x$, $[x]_1$ is used to refer to a sequence $| | \ldots |$ of $x$ lines each representing
one element on the stack, i.e. $[x]_1$ corresponds to the unary encoding of $x$. We write
$[0]_1 = \varepsilon$. Similarly, we use $[y]_{10}$ to refer to the ternary encoding of $y = [x]_1$, for a
natural number $x$.

4.1 Encoding of an iRBM 

We define the following auxiliary functions where $q$ is a state in $\mathfrak{M}$, $\alpha_A$ a joint action
of $A$ and $\alpha_{\bar{A}}$ a joint action of $\bar{A}$:

$\Delta max_A(q) = \max\{cons(\alpha_{\bar{A}}) \mid \alpha_{\bar{A}} \in d_{\bar{A}}(q)\}$

$\Delta con_A(q, \alpha_A) = cons(\alpha_A) + \Delta max_A(q)$

$\Delta prd_A(q, \alpha_A, \alpha_{\bar{A}}) = \Delta max_A(q) - cons(\alpha_{\bar{A}}) + prod((\alpha_A, \alpha_{\bar{A}}))$

The number $\Delta max_A(q)$ denotes the worst case consumption of resources of the opponents
at $q$, that is the maximal amount of resources they could claim. The number
$\Delta con_A(q, \alpha_A)$ is the consumption of resources if $A$ executes $\alpha_A$ and the opponents
choose their actions with the worst case consumption; this models a pessimistic view.
This is valid as the proponents can never be sure to have more resources available. Finally,
$\Delta prd_A(q, \alpha_A, \alpha_{\bar{A}})$ denotes the number of resources that need to be produced
after $(\alpha_A, \alpha_{\bar{A}})$ was executed at $q$. It is the sum of the number of resources produced
by $(\alpha_A, \alpha_{\bar{A}})$, and the difference between the consumption of the estimated worst case
behavior of the opponents and the consumption of the actions which were actually executed
by $\bar{A}$. We state the following lemma which is fundamental for the correctness of
the encoding defined below. It justifies that we can first assume the worst-case behavior
of the opponents before correcting this choice.

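Lemma 3. Let $\alpha = (\alpha_A, \alpha_{\bar{A}})$ be a tuple consisting of an action profile $\alpha_A$ of $A$ and
one $\alpha_{\bar{A}}$ of $\bar{A}$, and let $q$ be a state in $\mathfrak{M}$. We have that

(a) $prod(\alpha) - cons(\alpha) = \Delta prd_A(q, \alpha_A, \alpha_{\bar{A}}) - \Delta con_A(q, \alpha_A)$; and

(b) the following statements are equivalent for any natural number $x$:

(i) for all $\alpha' \in Act_{\bar{A}}$: $x \ge \sum_{a \in A} cons(\alpha_a) + \sum_{a \in \bar{A}} cons(\alpha'_a)$.

(ii) $x \ge \Delta con_A(q, \alpha_A)$.

Proof. (a) $\Delta prd_A(q, \alpha_A, \alpha_{\bar{A}}) - \Delta con_A(q, \alpha_A) = \Delta max_A(q) - cons(\alpha_{\bar{A}}) + prod((\alpha_A, \alpha_{\bar{A}})) - (cons(\alpha_A) + \Delta max_A(q)) = prod((\alpha_A, \alpha_{\bar{A}})) - (cons(\alpha_A) + cons(\alpha_{\bar{A}})) = prod(\alpha) - cons(\alpha)$.

(b) $\sum_{a \in A} cons(\alpha_a) + \sum_{a \in \bar{A}} cons(\alpha'_a) \le x$ for all $\alpha' \in Act_{\bar{A}}$ iff $cons(\alpha_A) + \Delta max_A(q) \le x$
iff $\Delta con_A(q, \alpha_A) \le x$.

□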

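From $\mathfrak{M}$ and $A$, we define an r-compact ABPDS where
$r = [\max_{q, \alpha_A, \alpha_{\bar{A}}} \{\Delta con_A(q, \alpha_A), \Delta prd_A(q, \alpha_A, \alpha_{\bar{A}})\}]_1$ is the maximal number which is ever consumed
or produced.

Definition 3 ($\mathcal{C}_{\mathfrak{M},A}$). The r-compact ABPDS $\mathcal{C}_{\mathfrak{M},A}$ is the CABPDS $(S, \Gamma, \Delta, F, r)$ where
$S = F = Q$, $\Gamma = \{|\}$, and for all $q \in Q$, $\alpha_A \in d_A(q)$ we have that

$(q, [\Delta con_A(q, \alpha_A)]_1) \Delta \{(o(q, (\alpha_A, \alpha_{\bar{A}})), [\Delta prd_A(q, \alpha_A, \alpha_{\bar{A}})]_1) \mid \alpha_{\bar{A}} \in d_{\bar{A}}(q)\}$.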

It is easily seen that $\mathcal{C}_{\mathfrak{M},A}$ is indeed an r-compact ABPDS. The purpose of $\mathcal{C}_{\mathfrak{M},A}$ is to
encode the outcome sets $out(q, s_A, \eta)$ for any state $q$ and strategy $s_A$. Let $w \in \{|\}^*$
and $\rho \in \mathcal{R}_{\mathcal{C}_{\mathfrak{M},A}}$. We define $h(w) = [w]_{10}$ and lift $h$ to configurations $h((p, w)) = (p, h(w))$,
to finite or infinite sequences $c_0 c_1 \ldots$ of configurations via $h(c_0 c_1 \ldots) = h(c_0) h(c_1) \ldots$,
and to runs $h(\rho) = \{h(\kappa) \mid \kappa \in \rho\}$. Then, the next result states that
runs of $\mathcal{C}_{\mathfrak{M},A}$ are the outcome sets of $A$. First, observe that for every strategy $s_A$ we
have that there is a run $\rho \in \mathcal{R}_{\mathcal{C}_{\mathfrak{M},A}}$ with $h(\rho) = out(q, s_A, \eta)$. The automaton simply
chooses the same actions as specified by the strategy. Similarly, in the reverse case, if
the automaton takes a transition corresponding to an action tuple $\alpha_A$ after the finite
run $b$, then we define the strategy $s_A$ such that $s_A(h(b)) = \alpha_A$. We note that here it is
important that the strategy is perfect recall and takes the history of states as well as of
shared endowments into account.
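As an added illustration (not part of the paper), the Python sketch below computes the auxiliary functions for a constructed one-resource model, builds the transitions of Definition 3, and fires them on unary stacks. The model, the action names and the treatment of joint actions as single labels with summed costs are assumptions; the sketch rejects a profile whose pessimistic consumption is zero, because the pop word of a compact transition must be non-empty.

```python
# Added illustration of the encoding in Definition 3; not code from the paper.
# Constructed sample model: every name and number below is an assumption.
# Each label stands for a joint action with its total consumption/production.
CONS = {"mine": 1, "build": 3, "rest": 1, "steal": 2, "wait": 0}
PROD = {"mine": 2, "build": 0, "rest": 1, "steal": 0, "wait": 1}
D_A = {"q0": ["mine", "build"], "q1": ["rest"]}       # choices of coalition A
D_OPP = {"q0": ["steal", "wait"], "q1": ["wait"]}     # choices of the opponents
NEXT = {                                               # transition function o
    ("q0", "mine", "steal"): "q0", ("q0", "mine", "wait"): "q1",
    ("q0", "build", "steal"): "q1", ("q0", "build", "wait"): "q1",
    ("q1", "rest", "wait"): "q0",
}


def d_max(q):
    """Worst-case consumption of the opponents at q."""
    return max(CONS[b] for b in D_OPP[q])


def d_con(q, a):
    """Pessimistic consumption when A plays a at q."""
    return CONS[a] + d_max(q)


def d_prd(q, a, b):
    """Amount pushed back once the opponents' real choice b is known."""
    return d_max(q) - CONS[b] + PROD[a] + PROD[b]


def encode():
    """Return (rules, r). A rule is (q, a, pop_word, successors), where
    successors maps each opponent action to (next_state, push_word); the
    action labels are kept only to make the output readable."""
    rules, r = [], 0
    for q, actions in D_A.items():
        for a in actions:
            pop = d_con(q, a)
            if pop == 0:
                raise ValueError(f"empty pop word for {a!r} at {q!r}")
            succ = {b: (NEXT[q, a, b], "|" * d_prd(q, a, b)) for b in D_OPP[q]}
            r = max(r, pop, *(len(w) for _, w in succ.values()))
            rules.append((q, a, "|" * pop, succ))
    return rules, r


def fire(rule, eta):
    """Apply a rule to the configuration (q, [eta]_1).
    Returns None if fewer than len(pop_word) symbols are on the stack,
    otherwise the resulting (state, stack height) per opponent action."""
    _, _, pop, succ = rule
    if eta < len(pop):
        return None
    return {b: (q2, eta - len(pop) + len(push)) for b, (q2, push) in succ.items()}


if __name__ == "__main__":
    rules, r = encode()
    print("r =", r)
    for rule in rules:
        for eta in (2, 3, 5):
            print(rule[0], rule[1], "eta =", eta, "->", fire(rule, eta))
```

With two units on the stack, "mine" is blocked at q0 even though it would succeed against "wait": the transition pops the pessimistic amount first and the push corrects it afterwards, which is the situation Lemma 3 covers.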


Lemma 4 (Encoding Lemma). $h : \mathcal{R}_{\mathcal{C}_{\mathfrak{M},A}} \to \{out(q, s_A, \eta) \mid (q, \eta) \in Q \times En$
and $s_A$ is a strategy of $A\}$ is an isomorphism.

Proof (Sketch). The proof is done by induction on the number of simulation steps. Let
$s_A$ be a strategy and $t = out(q, s_A, \eta)$ the $(q, s_A, \eta)$-outcome. First, we argue that there
is a run $\rho \in \mathcal{R}_{\mathcal{C}_{\mathfrak{M},A}}((q, [\eta]_1))$ with $h(\rho) = t$. Let $t^i$ and $\rho^i$ be the finite version of $t$ and
$\rho$ up to depth $i \ge 0$, respectively. We construct $\rho$ step-by-step. Clearly, $h(\rho^0) = h(t^0)$.
Let $b^i$ be any finite branch in $t^i$ with final configuration $(q', \eta')$ and with successor states
$\{(q_1, \eta_1), \ldots, (q_n, \eta_n)\}$ and let the action $\alpha^j_{\bar{A}}$ of the opponents be the action which led
to $(q_j, \eta_j)$ given that $s_A(t^i) = \alpha_A$, i.e. $o(q', (\alpha_A, \alpha^j_{\bar{A}})) = q_j$, for $1 \le j \le n$. By
definition there is a transition
$(q', [\Delta con_A(q', \alpha_A)]_1) \Delta \{(q_j, [\Delta prd_A(q', \alpha_A, \alpha^j_{\bar{A}})]_1) \mid \alpha^j_{\bar{A}} \in d_{\bar{A}}(q'), 1 \le j \le n\}$.
Let $\kappa^i$ be the finite branch on $\rho^i$ corresponding to $b^i$, by induction
we have $h(\kappa^i) = b^i$. The last state on $\kappa^i$ is $d = (q', [\eta']_1)$. By Lemma 3(b) and the
fact that there is a transition after $b^i$, $\eta' \ge \Delta con_A(q', \alpha_A)$. Thus, the transition of the
automaton can be taken and by Lemma 3(a), $\{(q_1, [\eta_1]_1), \ldots, (q_n, [\eta_n]_1)\}$ is a direct
successor of $d$.

For the other direction, let $\rho \in \mathcal{R}_{\mathcal{C}_{\mathfrak{M},A}}(c)$. The proof is done in a similar way.
Let $\kappa^i = (q_0, w_0) \ldots (q_n, w_n)$ be a finite branch in $\rho$ and assume that the automaton
takes as next transition
$(q_n, [\Delta con_A(q_n, \alpha_A)]_1) \Delta \{(o(q_n, (\alpha_A, \alpha_{\bar{A}})), [\Delta prd_A(q_n, \alpha_A, \alpha_{\bar{A}})]_1) \mid \alpha_{\bar{A}} \in d_{\bar{A}}(q_n)\}$.
Then, we define $s_A(h(\kappa^i)) = \alpha_A$. To see that $s_A$ is
well-defined we observe that $\rho$ cannot contain two finite branches $b$ and $b'$ which are
identical. □


4.2 Model Checking RAL over 1-Unbounded RBMs is Decidable 

In this section we put the pieces together and show that model checking RAL over
1-unbounded RBMs is decidable. Before we do so, we need to extend RBMs with
regular labelling functions $\pi : \Pi \to 2^{Q \times En}$ as done in Section 3.3 for PDSs. Clearly,
the “state-based” labelling function $\pi' : \Pi \to 2^{Q}$ in $\mathfrak{M}$ is a special regular labelling
function with $\pi(p) = \{(q, \eta) \mid \eta \in En, q \in \pi'(p)\}$. From now on, we assume that $\pi$
is regular. Our model checking algorithm builds upon model checking CTL formulae
over CABPDSs as outlined in Theorem 4. The main idea is the following. Suppose we
want to model check $\mathfrak{M}, q_0, \eta \models \langle\langle A \rangle\rangle^{\downarrow}\varphi$ where $\langle\langle A \rangle\rangle^{\downarrow}\varphi$ is a flat formula and $\mathbf{E}\varphi$ is
in negation normal form (see footnote 9). Firstly, we construct the CABPDS $\mathcal{C}_{\mathfrak{M},A}$ which accepts the
outcome sets of $A$ by the Encoding Lemma 4. Let $lab$ be the labelling function defined
as: $(q, [\eta]_1) \in lab(p)$ iff $(q, \eta) \in \pi(p)$. Then, we have that: $\mathfrak{M}, q_0, \eta \models \langle\langle A \rangle\rangle^{\downarrow}\varphi$ if,
and only if, $\mathcal{C}_{\mathfrak{M},A}, (q, [\eta]_1), lab \models \mathbf{E}\varphi$. By Theorem 4 this can be efficiently solved
by constructing an alternating automaton $\mathcal{A}_{\mathcal{C}_{\mathfrak{M},A}, \mathbf{E}\varphi}$ that accepts $((q, \mathbf{E}\varphi), [\eta]_1)$ iff the
above equivalence is true. This shows the following result:

Proposition 2. Let the labelling function in $\mathfrak{M}$ be regular and $\langle\langle A \rangle\rangle^{\downarrow}\varphi$ be a flat RAL-formula
in negation normal form. Then, we can construct an alternating automaton
$\mathcal{A}_{\mathcal{C}_{\mathfrak{M},A}, \mathbf{E}\varphi}$ such that $((q, \mathbf{E}\varphi), [\eta]_1) \in L(\mathcal{A}_{\mathcal{C}_{\mathfrak{M},A}, \mathbf{E}\varphi})$ if and only if $\mathfrak{M}, q, \eta \models \langle\langle A \rangle\rangle^{\downarrow}\varphi$.

9 Note that the release operator cannot occur here.



This proposition can be applied recursively to model check an arbitrary RAL-formula
$\varphi$, following the standard bottom-up model checking approach used for CTL* [11].
Firstly, the innermost (flat) formulae $\psi$ of $\varphi$ are considered. By Proposition 2 we can
compute the regular set of configurations at which each of these subformulae hold.
Then, we replace the subformula $\psi$ by a fresh proposition $p_\psi$ and extend the regular
labelling of $\mathfrak{M}$ such that $p_\psi$ is assigned the configurations at which $\psi$ is true (Theorem 4).
Applied recursively, we obtain:

Theorem 5. The model-checking problem for RAL (with shared resources) over
1-unbounded RBMs is decidable.

Proof (Sketch). The proof proceeds by induction on the formula structure. Suppose
we want to model check $\mathfrak{M}, q, \eta \models \langle\langle A \rangle\rangle^{\downarrow}\mathbf{F}\varphi$. The other cases are handled analogously.
Let $\xi = \langle\langle B \rangle\rangle^{\downarrow}\chi$ be any strict subformula of $\varphi$. By induction hypothesis and
Lemma 2 we can construct an alternating automaton $\mathcal{A}_{\mathcal{C}_{\mathfrak{M},B}, \mathbf{E}\chi}$ that accepts exactly
those $((q', \mathbf{E}\chi), h(\eta'))$ with $\mathfrak{M}, q', \eta' \models \xi$. Then, we replace $\xi$ in $\varphi$ with a fresh
proposition $p_\xi$ and extend $\pi$ by defining $\pi(p_\xi) = L(\mathcal{A}'_{\mathcal{C}_{\mathfrak{M},B}, \mathbf{E}\chi})$ where $\mathcal{A}'_{\mathcal{C}_{\mathfrak{M},B}, \mathbf{E}\chi}$ is the
automaton with $L(\mathcal{A}'_{\mathcal{C}_{\mathfrak{M},B}, \mathbf{E}\chi}) = \{(q, \eta) \mid ((q, \mathbf{E}\chi), [\eta]_1) \in L(\mathcal{A}_{\mathcal{C}_{\mathfrak{M},B}, \mathbf{E}\chi})\}$. We proceed
with this procedure until the “updated” $\varphi$ is completely propositional. Then, we can
apply Proposition 2 to check whether $\mathfrak{M}, q, \eta \models \langle\langle A \rangle\rangle^{\downarrow}\mathbf{F}\varphi$. □

5 General Undecidability Result 

In 0181 it has been shown that most variants of RAL are undecidable. This has been
proved by reductions of the halting problem of two-counter automata d to the different
model checking problems. Two-counter automata are finite automata extended with
two counters. Transitions depend on the current state of the automaton and on whether
the counters are zero or non-zero. If a transition is taken, the automaton may change
its control state and may increment or decrement the counters. The basic idea of the
reduction is to encode a two-counter automaton as an iRBM (see footnote 10). Each of the two counters
corresponds to a resource type. Agents’ actions are used to simulate the selection of a
transition and the incrementation and decrementation of counters. The key difficulty is
to encode the zero test, i.e. to check whether resources are available. The two-counter
automaton can check if a counter is zero or not in the transition relation by definition.
But, if in the resource bounded model a transition should only be taken if no resources
are available, there is nothing which can prevent the agent from taking the transition even if
it has resources available. Clearly, such an inconsistent behavior would break the
simulation. Therefore, a second agent, playing the role of a spoiler, is used to check that
such inconsistent transitions result in “fail states” which cannot be used to witness an
accepting run of the automaton. Then, it is shown that the two-counter automaton halts
on the empty input iff $\langle\langle 1 \rangle\rangle^{\downarrow}\mathbf{F}\,halt$ is true in a model which encodes the transition table
of the automaton G). In another result the authors of El also show that undecidability
is the case for a single agent only. This is achieved by nesting modalities and letting the
agent itself play the role of the spoiler: the two-counter automaton halts on the empty
input iff $\langle\langle 1 \rangle\rangle^{\downarrow}(\neg\langle\langle 1 \rangle\rangle^{\downarrow}\mathbf{X}\,err)\,\mathbf{U}\,halt$. These undecidability proofs can be (directly) adapted
to our setting; actually, due to the shared resources the technicalities are even simpler.
We note that the undecidability proof does not require the full expressivity of strategies
as defined in this paper. Strategies which only take the history of states into account
are sufficient to encode the behavior of a two-counter automaton. This corresponds to
the fact that the automaton takes transitions based on the control states and whether the
counters are zero or non-zero, but not the actual counter value. We refer to 13181 for
further details about the construction. We obtain the following result:

10 We note that we show undecidability over iRBMs. Such undecidability results are stronger
than for RBMs as the former is a special case of the latter.

Corollary 2 (of If8l3l ). Model checking RAL (with shared resources) over k-unbounded
iRBMs with $k \ge 2$ is undecidable, even in the following restricted cases:

1. In the case of a single agent and a fixed formula of the form $\langle\langle 1 \rangle\rangle^{\downarrow}(\neg\langle\langle 1 \rangle\rangle^{\downarrow}\mathbf{X}\,p)\,\mathbf{U}\,q$.

2. In the case of two agents and a fixed formula of the form $\langle\langle 1 \rangle\rangle^{\downarrow}\mathbf{F}\,p$.

6 Conclusions 

In this paper, we have introduced a variant of resource agent logic RAL El with shared
resources, which can be consumed and produced. We showed that the model checking
problem is undecidable in the presence of at least two unbounded resource types. Our
main technical result is a decidability proof of model checking RAL with one shared,
unbounded resource type. Otherwise, we impose no restrictions, in particular nested
cooperation modalities do not reset the resources available to agents. This property is
sometimes called non-resource flatness. In order to show decidability, we first show
how CTL can be model-checked with respect to (compact) alternating Büchi pushdown
systems extending results on model checking CTL over pushdown and alternating
pushdown systems II15I5W . A compact alternating Büchi pushdown system allows reading and
popping more than one symbol from its stack at a time. It is used for encoding resource
bounded models in order to apply the automata-based model checking algorithm.